Airlines warn of data breaches after SITA passenger system hack

Global air transport data giant SITA has confirmed a data breach involving passenger data.

The company said in a brief statement on Thursday that it had been the “victim of a cyberattack,” and that certain passenger data stored on its U.S. servers had been breached. The cyberattack was confirmed on February 24, after which the company contacted affected airlines.

SITA is one of the largest aviation IT companies in the world, said to be serving around 90% of the world’s airlines, which rely on the company’s passenger service system Horizon to manage reservations, ticketing and aircraft departures.

When reached, SITA spokesperson Edna Ayme-Yahil declined to say what specific data had been taken, citing an ongoing investigation. The company said that the incident “affects various airlines around the world, not just in the United States.”

SITA confirmed it had notified several airlines — Malaysia Airlines; Finnair; Singapore Airlines; and Jeju Air, an airline in South Korea — which have already made statements about the breach.

Cathay Pacific, Air New Zealand, and Lufthansa are also affected by the incident.

In an email to affected customers seen by TechCrunch, Singapore Airlines said it was not a customer of SITA’s Horizon passenger service system but that about half a million frequent flyer members had their membership number and tier status compromised. The airline said that the transfer of this kind of data is “necessary to enable verification of the membership tier status, and to accord to member airlines’ customers the relevant benefits while traveling.”

The airline said passenger itineraries, reservations, ticketing and passport data were not affected.

United became the latest airline to warn its travelers that data related to members of its Star Alliance frequent flyers club was affected, but that “no other personal information or passwords were exposed that would allow anyone to access your MileagePlus account.” United, confusingly, nevertheless asked its customers to change their passwords “out of an abundance of caution.”

American Airlines was also hit, the company confirmed in an email to customers. The company said it did not use SITA’s Horizon system but that its frequent flyer information passes through the system to provide loyalty points from other airlines.

SITA is one of a handful of companies in the aviation market providing passenger ticketing and reservation systems to airlines, alongside Sabre and Amadeus.

Sabre reported a major data breach in mid-2017 affecting its hotel reservation system, after hackers scraped over a million customer credit cards. The U.S.-based company agreed in December to a $2.4 million settlement and to make changes to its cybersecurity policies following the breach.

In 2019, a security researcher found a vulnerability in Amadeus’ passenger booking system, used by Air France, British Airways and Qantas among others, which made it easy to alter or access traveler records.

Updated Saturday with details from United and American Airlines.